Analysis
- max time kernel: 53s
- max time network: 113s
- platform: windows10_x64
- resource: win10
- submitted: 28-10-2020 15:44
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: zloader.dll, Resource: win7)
- Behavioral task: behavioral2 (Sample: zloader.dll, Resource: win10)
General
- Target: zloader.dll
- Size: 152KB
- MD5: b035e24d80b7460ead4a95d0894ec36d
- SHA1: d7e1da5a2e7c8655781806f74f7d5d71112ada88
- SHA256: 9f5ae7544311e1c85c7452df11f0d7943f1a970f71a8d3bc7b9b062c71830242
- SHA512: 3fb2896bc20875a2359af20fdfb7593909f378625fa8fb97a64d8db6111e8e9c5e61af296620093f9e782026d6d91b662a14242ac46c593940373e74e3c26205
Malware Config
- Extracted family: zloader
- Config values: DLLobnova, 02.09.2020dll
Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: msiexec.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Windows\CurrentVersion\Run | msiexec.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yrvahik = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Futoiq\\hiboew.dll" | msiexec.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: rundll32.exe
  description | pid | process | target process
  PID 2148 set thread context of 2096 | 2148 | rundll32.exe | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: msiexec.exe
  description | pid | process
  Token: SeSecurityPrivilege | 2096 | msiexec.exe
  Token: SeSecurityPrivilege | 2096 | msiexec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 3872 wrote to memory of 2148 | 3872 | rundll32.exe | rundll32.exe
  PID 3872 wrote to memory of 2148 | 3872 | rundll32.exe | rundll32.exe
  PID 3872 wrote to memory of 2148 | 3872 | rundll32.exe | rundll32.exe
  PID 2148 wrote to memory of 2096 | 2148 | rundll32.exe | msiexec.exe
  PID 2148 wrote to memory of 2096 | 2148 | rundll32.exe | msiexec.exe
  PID 2148 wrote to memory of 2096 | 2148 | rundll32.exe | msiexec.exe
  PID 2148 wrote to memory of 2096 | 2148 | rundll32.exe | msiexec.exe
  PID 2148 wrote to memory of 2096 | 2148 | rundll32.exe | msiexec.exe
Processes
- C:\Windows\system32\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\zloader.dll,#1)
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\zloader.dll,#1)
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe (command line: msiexec.exe)
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken